On Mon, 10 Nov 2003 21:09:44 -0800 Todd Lyons <[EMAIL PROTECTED]> forwarded:

>   reviewing the logs, I have seen a large number of GETs 
>   in /var/log/httpd/*.log with verrrrrrrrrrrrry long 
>   pathnames and/or requests to xxx.xxx.xxx:25. I think that
>   is how they got in.

Not "in"; but "through"...  I pointed this out to David in a private mail
along with the below quick test for proxying...  Seems that using ":25" is
a twist that I hadn't seen; but then again, most of us have turned off
proxying after this was raised here months ago...

Part of my msg to David:
> Hmmm...  wonder if this is related to the www relaying that can happen
> in an apache server...  [testing your address...]  port 80 is blocked...
> is this done by your ISP?  The way to check for httpd relaying is simple:
>    telnet <IP> 80
>    [connected messages]
>    GET http://some.remote.site HTTP/1.0<enter>
>    <enter>
> 
> If the returned page is from some.remote.site, your server is an open
> relay...  I've seen this long ago and suspected people were using this
> to bump hit-counters causing possible charges ($$) between target and
> advertiser.  Dunno if this could be used to relay mail; but would not be
> surprised.

It appears that adding ":25" was a pretty simple hack to abuse the apache
proxying...  yet another reason for everyone to verify that mod-proxy is
disabled....
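
An added example, not part of the original message: a log check for the proxy-form requests described above (a `GET` with a full `http://host[:port]/` URL, or a `CONNECT host:port`) aimed at hosts other than your own. The function names, the `own_hosts` parameter and the sample log lines are constructed for illustration, and the parser assumes Apache's common/combined log format.

```python
import re

# Apache common/combined log: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')
ABS_URI_RE = re.compile(r'^([a-z][a-z0-9+.-]*)://([^/:\s]+)(?::(\d+))?', re.I)

def proxy_target(request):
    """Return (host, port) if the request line is in proxy form, else None."""
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                  # CONNECT host:port
        host, _, port = target.rpartition(":")
        return (host.lower(), int(port)) if host and port.isdigit() else None
    m = ABS_URI_RE.match(target)
    if not m:
        return None                          # ordinary request for a local path
    default = 443 if m.group(1).lower() == "https" else 80
    return (m.group(2).lower(), int(m.group(3) or default))

def find_relay_attempts(lines, own_hosts):
    """List (client, host, port, status, answered_2xx) for proxy-form requests to foreign hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = proxy_target(m.group(2))
        if target is None or target[0] in own_hosts:
            continue
        status = int(m.group(3))
        hits.append((m.group(1), target[0], target[1], status, 200 <= status < 300))
    return hits

# Constructed sample lines (documentation addresses and names, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2003:20:01:02 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [10/Nov/2003:20:01:05 -0800] "GET http://some.remote.site/ HTTP/1.0" 200 5120',
    '192.0.2.77 - - [10/Nov/2003:20:01:09 -0800] "GET http://mail.example.net:25/ HTTP/1.0" 200 310',
    '192.0.2.78 - - [10/Nov/2003:20:02:00 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 220',
    '192.0.2.11 - - [10/Nov/2003:20:02:30 -0800] "GET http://www.example.org/a.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_relay_attempts(SAMPLE, own_hosts={"www.example.org"}):
        print(hit)
```

A 2xx status on such a line is only a lead, since the server may have answered with its own page; the telnet test quoted above, checking whose page comes back, is what confirms relaying.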
